Analysis
max time kernel: 137s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-02-2022 07:54
Static task: static1
Behavioral task: behavioral1
  Sample: 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
  Resource: win10v2004-en-20220113
(The signatures and process tree on this page are from behavioral2, the win10v2004-en-20220113 run named in the Analysis header.)
General
Target: 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
Size: 36KB
MD5: 3248826e8a19b42a30b97ddcdc2e6d7e
SHA1: a90c2c55fa49d8ba2cf613f1886a08983335a3b4
SHA256: 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5
SHA512: 132fb2f1b3705e8c546d1975a5145370cf1082d4cd0f5ad7735719b087514ecd0ddc05e03a12dcf811bf8e566a0fee819cfa2dd423753395ff621157916ab311
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID   Process
  4688  MediaCenter.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely a geofence check (the sample reads the configured nation before deciding how to proceed).
Processes:
  Process: 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Process: 0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"
This is the sample's persistence: a machine-wide Run value (written under the WOW6432Node view, i.e. by a 32-bit process) that points into the user's Temp directory at the dropped MediaCenter.exe, which the sample also launches directly as PID 4688. A Run value whose target lives under AppData\Local\Temp is a strong indicator on its own.
Drops file in Windows directory (8 IoCs)
Processes:
  Description                   IoC                                                         Process
  File opened for modification  C:\Windows\WindowsUpdate.log                                svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log      svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm     svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log         svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                 TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                               TiWorker.exe
All eight entries belong to svchost.exe hosting the wuauserv Windows Update service (PID 2656) and to TiWorker.exe, the servicing-stack worker (PID 5096). Both are top-level processes in the process tree with no relationship to the sample, so this signature records sandbox background activity, not sample behaviour.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's generic description rates this as likely ransomware behaviour, but the report lists no IoC rows for it, so on this page it is a weak indicator that should not be read as evidence of encryption activity.
Runs ping.exe (1 TTP, 1 IoC)
The IoC is PING.EXE (PID 3136) started by cmd.exe (PID 4244) with "ping 127.0.0.1"; see the process tree, where it serves as a delay before the sample's own file is deleted.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (identical consecutive entries collapsed into counts):
  PID   Process                                                                 Token privileges enabled (count)
  2656  svchost.exe                                                             SeShutdownPrivilege (3), SeCreatePagefilePrivilege (3)
  5096  TiWorker.exe                                                            SeSecurityPrivilege (19), SeRestorePrivilege (19), SeBackupPrivilege (19)
  464   0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe   SeIncBasePriorityPrivilege (1)
Only one of the 64 entries is attributable to the sample: a single SeIncBasePriorityPrivilege adjustment by PID 464. The remaining 63 are the backup/restore/security and shutdown/pagefile privileges that Windows Update (svchost.exe, wuauserv) and the servicing stack (TiWorker.exe) routinely enable, and are not related to the sample.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  Source PID  Source process                                                          Target PID  Target process    Entries
  464         0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe   4688        MediaCenter.exe   3
  464         0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe   4244        cmd.exe           3
  4244        cmd.exe                                                                 3136        PING.EXE          3
Every target is a direct child of the writing process in the process tree, so these writes are consistent with ordinary process creation of those children rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe (PID 464)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 4688, child of 464)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 4244, child of 464)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 3136, child of 4244)
      Command line: ping 127.0.0.1
      - Runs ping.exe
C:\Windows\system32\svchost.exe (PID 2656)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 5096)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (PID 464) drops and starts MediaCenter.exe, registers it in the Run key, then removes its own file through cmd.exe. "ping 127.0.0.1" is used purely as a sleep (four echo requests to localhost, roughly three seconds) so that PID 464 has exited and released its image file before "del /q" runs; the single "&" runs del regardless of ping's exit status. The command line names System32\cmd.exe but the executed image is SysWOW64\cmd.exe, and the Run value landed under WOW6432Node: both are WOW64 file-system and registry redirection, which tells you the sample is a 32-bit executable. svchost.exe (wuauserv) and TiWorker.exe are the Windows Update service host and servicing-stack worker; they are unrelated top-level processes that account for every "Drops file in Windows directory" IoC and 63 of the 64 AdjustPrivilegeToken IoCs.
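The three behaviours this report attributes to the sample itself (the Geo\Nation lookup, the Run value pointing into the user's Temp directory, and the cmd.exe ping-then-del self-removal) can be written as detection rules over endpoint telemetry. The block below is an added example and not sandbox output or code from the report: it runs those rules over constructed events whose shape loosely follows Sysmon Event ID 1 (process create) and Event ID 13 (registry value set). The field names, the "RegistryQuery" event kind and the two benign contrast events are assumptions; Sysmon does not log registry reads, so the Geo\Nation rule needs an API-monitor or sandbox trace as its source.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Event model loosely after Sysmon EID 1 (ProcessCreate) and EID 13
# (RegistryValueSet). Sysmon does not record registry reads, so the
# Geo\Nation lookup is modelled as a "RegistryQuery" event of the kind an
# API monitor or sandbox trace would emit (assumed shape, not a Sysmon field).
@dataclass
class Event:
    kind: str            # "ProcessCreate" | "RegistryValueSet" | "RegistryQuery"
    pid: int
    image: str           # full path of the acting process
    ppid: int = 0        # parent PID (ProcessCreate only)
    cmdline: str = ""    # command line (ProcessCreate only)
    target: str = ""     # registry path (registry events only)
    details: str = ""    # value data written (RegistryValueSet only)


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0c4bb761d576afcb72bbed9b707d5cac6cc2cc2d14a7a830d10d5bd3a02eb1c5.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"
SID = "S-1-5-21-1346565761-3498240568-4147300184-1000"

# Constructed events reproducing the report's IoCs and process tree, plus two
# benign events (a vendor updater Run value, a plain ping) that must not fire.
EVENTS: List[Event] = [
    Event("RegistryQuery", 464, SAMPLE,
          target=rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"),
    Event("RegistryValueSet", 464, SAMPLE,
          target=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
                 r"\CurrentVersion\Run\MicroMedia",
          details=DROPPED),
    Event("ProcessCreate", 4688, DROPPED, ppid=464, cmdline=DROPPED),
    Event("ProcessCreate", 4244, r"C:\Windows\SysWOW64\cmd.exe", ppid=464,
          cmdline=rf'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'),
    Event("ProcessCreate", 3136, r"C:\Windows\SysWOW64\PING.EXE", ppid=4244,
          cmdline="ping 127.0.0.1"),
    Event("RegistryValueSet", 1200, r"C:\Program Files\Vendor\setup.exe",
          target=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
          details=r"C:\Program Files\Vendor\updater.exe"),
    Event("ProcessCreate", 1300, r"C:\Windows\System32\cmd.exe", ppid=1,
          cmdline="cmd.exe /c ping 10.0.0.1 -n 4"),
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Locations an unprivileged user can write to; a Run value pointing here is
# far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
# "ping <anything> & del ...": ping is used purely as a sleep so the parent
# has exited and released its file before the deletion runs.
SELF_DELETE = re.compile(r"\bping\b[^&|]*&+\s*del\b", re.I)
DEL_TARGET = re.compile(r"\bdel\b\s+(?:/\w\s+)*\"?([^\"]+?)\"?\s*$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)

Hit = Tuple[str, int, str]   # (rule name, pid, evidence)


def detect(events: List[Event]) -> List[Hit]:
    hits: List[Hit] = []
    images: Dict[int, str] = {e.pid: e.image.lower() for e in events}
    run_values: Dict[Tuple[int, str], str] = {}   # (setter pid, value data) -> key path
    for e in events:
        if e.kind == "RegistryValueSet" and RUN_KEY.search(e.target):
            run_values[(e.pid, e.details.lower())] = e.target
            if USER_WRITABLE.search(e.details):
                hits.append(("run_key_to_user_writable_path", e.pid, e.details))
        elif e.kind == "ProcessCreate":
            # The process that wrote a Run value now starts exactly that binary:
            # persistence plus execution of a dropped payload by the same actor.
            if (e.ppid, e.image.lower()) in run_values:
                hits.append(("persisted_dropper_child", e.pid, e.image))
            if e.image.lower().endswith("cmd.exe") and SELF_DELETE.search(e.cmdline):
                m = DEL_TARGET.search(e.cmdline)
                target = m.group(1) if m else ""
                # Self-delete proper: the file being deleted is the parent's own image.
                name = ("ping_delay_self_delete"
                        if target.lower() == images.get(e.ppid) else "ping_delay_delete")
                hits.append((name, e.pid, target or e.cmdline))
        elif e.kind == "RegistryQuery" and GEO_NATION.search(e.target):
            hits.append(("geo_nation_lookup", e.pid, e.target))
    return hits


if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {evidence}")
```

On the constructed input the four rules fire once each, all on sample-related PIDs (464, 4688, 4244), and neither benign event produces a hit. The self-delete rule is split in two on purpose: "ping_delay_delete" catches the idiom anywhere, while "ping_delay_self_delete" requires the deleted path to equal the parent's image, which is the high-confidence variant seen in this report and worth a higher severity.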
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: aca2e8e7c8369e454a7f50240dc2551e
SHA1: ce410dd9e6f6a65c23b52917f5cb69fbab7cadf8
SHA256: a0e8fcfa8b92b0b88e84fae33796f2c9c7c136642790fb7ac6f5ab7bd9daeb19
SHA512: 82ad65926d66ac7937c02073e4e8245a32c774aa2857381446b85ed6aa8976df24f7c939d5f7201c0ba61e4a313b569a625201b8f7fc5f06abc2a4222d9707cc